On Sun, 6 Jan 2002, Michal Zalewski wrote:

> On Sat, 5 Jan 2002, zen-parse wrote:
>
> > Problem: URL handler allows embedded commands.
> > May allow email viruses of the Outlook kind.
>
> > http://address/'&/some/program${IFS}with${IFS}arguments&'
>
> Isn't that old news? http://www.securityfocus.com/bid/810
>
> I *can* be wrong, but it looks like it is the same problem...

Not quite, but it seems to be a related problem (ie caused by the shell
parsing what it was given). There is some checking for metacharacters done,
and if it has any, it puts a single quote around them. However it doesn't
check for another single quote.

And then, on Sun, 6 Jan 2002, Michal Zalewski wrote:

> > Isn't that old news? http://www.securityfocus.com/bid/810 I *can* be
> > wrong, but it looks like it is the same problem...
>
> Ah ok, it is not exactly the same... they "fixed" it... still, I'm pretty
> sure I've seen it (things like '`id`') later, in 2000 or 2001 on
> BUGTRAQ...

What might work as a solution could be changing all "'"s into "'\''"s as it
does in another part of the code. Or maybe use a popen that doesn't call a
shell.

Could've been the X-Chat thing you saw, but I wouldn't be too surprised if
there were more things like that in various clients that come with URL
handlers.

-- zen-parse

--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parseat_private to a public forum it
may be redistributed as long as these conditions remain attached. If you
are mum or dad, this probably doesn't apply to you.
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 07:49:39 PST
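
The quoting fix suggested in the message above, shown next to the flawed quoting it describes. This is an added example, not part of the original post and not the affected program's code; the function names, the scratch file name and the sample URL (which carries only a harmless echo) are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed quoting from the thread: wrap in '...' without checking for an inner quote. */
char *quote_naive(const char *s) {
    char *out = malloc(strlen(s) + 3);
    if (out) sprintf(out, "'%s'", s);
    return out;
}

/* Suggested fix: rewrite each ' as '\'' (close, escaped quote, reopen), then wrap. */
char *quote_sh(const char *s) {
    char *out = malloc(4 * strlen(s) + 3), *p = out;  /* worst case: all quotes */
    if (!out) return NULL;
    *p++ = '\'';
    for (; *s; s++) {
        if (*s == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = *s;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Pass `printf %s <quoted>` to sh via system(); 1 if the URL arrives as one intact argument. */
int survives_shell(const char *url, char *(*quote)(const char *)) {
    const char *tmp = "quote_demo.out";  /* scratch file name (assumption) */
    char cmd[1024], got[1024] = "", *q = quote(url);
    FILE *f;
    if (!q) return 0;
    snprintf(cmd, sizeof cmd, "printf %%s %s > %s 2>/dev/null", q, tmp);
    free(q);
    if (system(cmd) == -1) return 0;
    if ((f = fopen(tmp, "r")) != NULL) {
        got[fread(got, 1, sizeof got - 1, f)] = '\0';
        fclose(f);
        remove(tmp);
    }
    return strcmp(got, url) == 0;
}

const char *SAMPLE_URL = "http://address/'&echo${IFS}INJECTED&'";  /* constructed sample */
int main(void) {
    printf("naive intact: %d, escaped intact: %d\n",
           survives_shell(SAMPLE_URL, quote_naive), survives_shell(SAMPLE_URL, quote_sh));
}
```

With the naive quoting, the embedded single quote ends the quoted string early and the shell treats the rest as separate commands, so the URL does not reach printf intact. With the escaped form, it arrives as a single literal argument.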